Epic Games Forums Hacked, SQL Injection Vulnerability Blamed

A SQL injection vulnerability is being blamed in the hack of 800,000 user accounts for popular gaming forums run by Epic Games.

Epic Games is warning users of a breach that impacts 800,000 user accounts tied to the company’s online forums. On Monday, the game developer temporarily shut down many of its forums and advised users to change passwords on any accounts that shared the same credentials for some of its forums.

Epic Games said the breach is tied to Unreal Engine and Unreal Tournament forums and that the data stolen included email addresses and “other data entered into the forums.” Data was stolen from the company’s vBulletin account databases and did not include “passwords in any form, neither salted, hashed, nor plaintext,” according to a statement posted by the company.

“While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset,” Epic Games wrote.

On Monday, Epic Games also reported a more serious breach impacting the game forums for Infinity Blade, UDK, previous Unreal Tournament games, and Gears of War. With these breaches, the hackers gained access to email addresses, salted hashed passwords and other data associated with those forums.

Epic Games is urging those forum users to secure credentials, and especially be wary of password reuse. “If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password,” Epic Games advises.

Not impacted, according to Epic Games, are forums for the games Paragon, Fortnite, Shadow Complex, and SpyJinx.

In a tweet late Monday, Epic Games alerted its users: “We have placed our forums in maintenance mode while we investigate the recent compromise.”

Security expert Deral Heiland, research lead at Rapid7, said the hack is tied to known SQL injection vulnerabilities. Heiland said the Epic Games forum hack is the latest in a long string of forum hacks tied to the use of outdated and unpatched vBulletin forum software.

Epic Games would not confirm to Threatpost the root of the attack.

“This breach is another reminder that SQL injection – which has been around since 1998 – doesn’t appear to be going away anytime soon. Current reporting of this event indicates that vBulletin forum software was still in use with a known SQLi vulnerability,” Heiland wrote in a statement regarding the Epic Games breach.

Heiland advises any Epic Games user to change their passwords in light of the forum breaches. “Although Epic claims that most of the password hashes are not easily cracked, it’s important for users to remember that with motivation and time nothing is impossible. In addition to passwords, potentially, attackers could have email addresses and private messages at their fingertips,” he said.

In its statement issued Monday, Epic Games wrote: “We apologize for the inconvenience this causes everyone and we’ll provide updates as we learn more.”

Authors

Threatpost
